
[ovs-dev,RFC,6/8] ovn-northd: Pre-loadbalancing table.

Message ID 1456727604-15784-7-git-send-email-guru@ovn.org
State Changes Requested

Commit Message

Gurucharan Shetty Feb. 29, 2016, 6:33 a.m. UTC
This new table sits before the pre-Stateful table and sets
'reg0' to 1 if the destination IP address of a packet
is a VIP in a loadbalancer object. Setting 'reg0' to 1 will
send the packet through conntrack to get its status (or to
track it).

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
---
 ovn/northd/ovn-northd.8.xml | 47 ++++++++++++++++++++++++++++++---------------
 ovn/northd/ovn-northd.c     | 46 +++++++++++++++++++++++++++++++++++---------
 2 files changed, 69 insertions(+), 24 deletions(-)

Patch

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index b764848..3117b9a 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -150,17 +150,28 @@ 
       advancing to table 3.
     </p>
 
-    <h3>Ingress Table 2: Pre-STATEFUL</h3>
+    <h3>Ingress Table 2: Pre-loadbalancer</h3>
 
     <p>
-      Ingress table 2 prepares flows for all possible stateful processing
+      Ingress table 2 prepares flows for possible loadbalancing
+      in table 4.  It contains a priority-0 flow that simply moves
+      traffic to next table.  If the destination IP of the packet is a
+      VIP configured in the loadbalancer table, a priority-100 flow
+      is added that sets a hint (with reg0 = 1) for table 3 to send
+      IP packets to the connection tracker before advancing to table 4.
+    </p>
+
+    <h3>Ingress Table 3: Pre-STATEFUL</h3>
+
+    <p>
+      Ingress table 3 prepares flows for all possible stateful processing
       in next tables.  It contains a priority-0 flow that simply moves
-      traffic to table 3.  A priority-100 flow sends the packets to connection
+      traffic to table 4.  A priority-100 flow sends the packets to connection
       tracker based on a hint provided by the previous tables (with a match
       for reg0 == 1).
     </p>
 
-    <h3>Ingress table 3: <code>from-lport</code> ACLs</h3>
+    <h3>Ingress table 4: <code>from-lport</code> ACLs</h3>
 
     <p>
       Logical flows in this table closely reproduce those in the
@@ -175,7 +186,7 @@ 
     </p>
 
     <p>
-      Ingress table 3 also contains a priority 0 flow with action
+      Ingress table 4 also contains a priority 0 flow with action
       <code>next;</code>, so that ACLs allow packets by default.  If the
       logical datapath has a stateful ACL, the following flows will
       also be added:
@@ -207,7 +218,7 @@ 
       </li>
     </ul>
 
-    <h3>Ingress Table 4: STATEFUL</h3>
+    <h3>Ingress Table 5: STATEFUL</h3>
 
     <p>
       It contains a priority-0 flow that simply moves traffic to table 5.
@@ -215,7 +226,7 @@ 
       provided by the previous tables (with a match for reg1 == 1).
     </p>
 
-    <h3>Ingress Table 5: Destination Lookup</h3>
+    <h3>Ingress Table 6: Destination Lookup</h3>
 
     <p>
       This table implements switching behavior.  It contains these logical
@@ -264,32 +275,38 @@  output;
       </li>
     </ul>
 
-    <h3>Egress Table 0: <code>to-lport</code> Pre-ACLs</h3>
+    <h3>Egress Table 0: Pre-loadbalancer</h3>
+
+    <p>
+      This is similar to ingress table 2.
+    </p>
+
+    <h3>Egress Table 1: <code>to-lport</code> Pre-ACLs</h3>
 
     <p>
       This is similar to ingress table 1 except for <code>to-lport</code>
       traffic.
     </p>
 
-    <h3>Egress Table 1: Pre-STATEFUL</h3>
+    <h3>Egress Table 2: Pre-STATEFUL</h3>
 
     <p>
-      This is similar to ingress table 2.
+      This is similar to ingress table 3.
     </p>
 
-    <h3>Egress Table 2: <code>to-lport</code> ACLs</h3>
+    <h3>Egress Table 3: <code>to-lport</code> ACLs</h3>
 
     <p>
-      This is similar to ingress table 3 except for <code>to-lport</code> ACLs.
+      This is similar to ingress table 4 except for <code>to-lport</code> ACLs.
     </p>
 
-    <h3>Egress Table 3: STATEFUL</h3>
+    <h3>Egress Table 4: STATEFUL</h3>
 
     <p>
-      This is similar to ingress table 4.
+      This is similar to ingress table 5.
     </p>
 
-    <h3>Egress Table 4: Egress Port Security</h3>
+    <h3>Egress Table 5: Egress Port Security</h3>
 
     <p>
       This is similar to the ingress port security logic in ingress table 0,
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 9e30bc0..28f5b45 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -87,17 +87,19 @@  enum ovn_stage {
     /* Logical switch ingress stages. */                                \
     PIPELINE_STAGE(SWITCH, IN,  PORT_SEC,     0, "ls_in_port_sec")      \
     PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,      1, "ls_in_pre_acl")       \
-    PIPELINE_STAGE(SWITCH, IN,  PRE_STATEFUL, 2, "ls_in_pre_stateful")  \
-    PIPELINE_STAGE(SWITCH, IN,  ACL,          3, "ls_in_acl")           \
-    PIPELINE_STAGE(SWITCH, IN,  STATEFUL,     4, "ls_in_stateful")      \
-    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,      5, "ls_in_l2_lkup")       \
+    PIPELINE_STAGE(SWITCH, IN,  PRE_LB,       2, "ls_in_pre_lb")        \
+    PIPELINE_STAGE(SWITCH, IN,  PRE_STATEFUL, 3, "ls_in_pre_stateful")  \
+    PIPELINE_STAGE(SWITCH, IN,  ACL,          4, "ls_in_acl")           \
+    PIPELINE_STAGE(SWITCH, IN,  STATEFUL,     5, "ls_in_stateful")      \
+    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,      6, "ls_in_l2_lkup")       \
                                                                         \
     /* Logical switch egress stages. */                                 \
-    PIPELINE_STAGE(SWITCH, OUT, PRE_ACL,      0, "ls_out_pre_acl")      \
-    PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 1, "ls_out_pre_stateful") \
-    PIPELINE_STAGE(SWITCH, OUT, ACL,          2, "ls_out_acl")          \
-    PIPELINE_STAGE(SWITCH, OUT, STATEFUL,     3, "ls_out_stateful")     \
-    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC,     4, "ls_out_port_sec")     \
+    PIPELINE_STAGE(SWITCH, OUT, PRE_LB,       0, "ls_out_pre_lb")       \
+    PIPELINE_STAGE(SWITCH, OUT, PRE_ACL,      1, "ls_out_pre_acl")      \
+    PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \
+    PIPELINE_STAGE(SWITCH, OUT, ACL,          3, "ls_out_acl")          \
+    PIPELINE_STAGE(SWITCH, OUT, STATEFUL,     4, "ls_out_stateful")     \
+    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC,     5, "ls_out_port_sec")     \
                                                                         \
     /* Logical router ingress stages. */                                \
     PIPELINE_STAGE(ROUTER, IN,  ADMISSION,   0, "lr_in_admission")      \
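Review bot: On egress `PRE_LB` is stage 0, ahead of `PRE_ACL`, while on ingress it follows `PRE_ACL`, and nothing in the stage list says why the order differs. Because the egress pre-LB flow sets `reg0 = 1`, the egress pre-ACL stage now runs with the conntrack hint already set; if that stage exempts some traffic by leaving reg0 untouched (not visible in this hunk), the exemption would stop applying once a load balancer is configured. Either place the egress stage after `PRE_ACL` as on ingress, or add a comment above the egress entries stating why pre-LB must run first there. The enum and its macro continue outside the hunk.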
@@ -1024,6 +1026,31 @@  build_pre_acls(struct ovn_datapath *od, struct hmap *lflows,
 }
 
 static void
+build_pre_lb(struct ovn_datapath *od, struct hmap *lflows)
+{
+    /* Allow all packets to go to next tables by default. */
+    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;");
+    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");
+
+    if (od->nbs->loadbalancer) {
+        struct nbrec_load_balancer *lb = od->nbs->loadbalancer;
+        struct smap *vips = &lb->vips;
+        struct smap_node *node;
+
+        SMAP_FOR_EACH (node, vips) {
+            struct ds match = DS_EMPTY_INITIALIZER;
+
+            ds_put_format(&match, "ip && ip4.dst == %s", node->key);
+            ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB,
+                          100, ds_cstr(&match), "reg0 = 1; next;");
+            ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB,
+                          100, "ip", "reg0 = 1; next;");
+            ds_destroy(&match);
+        }
+    }
+}
+
+static void
 build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
 {
     /* Ingress and Egress Pre-STATEFUL Table (Priority 0): Packets are
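Review bot: In `build_pre_lb` the VIP key read from the northbound database is formatted straight into the match with `%s`, so a key that is not a plain IPv4 address (a typo, an address with a port, or text containing match operators) produces a malformed or unintended logical flow; parsing it with `ip_parse()` first and skipping keys that fail keeps only addresses in the expression. The egress flow inside the loop has a match and action that do not depend on `node`, so the identical flow is added once per VIP and can be added once outside the loop. Its match is plain `ip`, so every IP packet on egress is sent to conntrack as soon as one VIP exists, which deserves a comment if it is intended. `build_pre_stateful`, which begins at the end of this hunk, continues outside it.

```c
    if (od->nbs->loadbalancer) {
        /* … unchanged: lb, vips and node declarations … */

        /* The egress match does not depend on the VIP, so add it once. */
        if (!smap_is_empty(vips)) {
            ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB,
                          100, "ip", "reg0 = 1; next;");
        }

        SMAP_FOR_EACH (node, vips) {
            ovs_be32 vip;

            /* Keys come from the northbound DB; only a plain IPv4 address
             * may reach the match expression. */
            if (!ip_parse(node->key, &vip)) {
                continue;
            }
            /* … unchanged: build "ip && ip4.dst == <key>" and add the
             * ingress flow … */
        }
    }
```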
@@ -1177,6 +1204,7 @@  build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
         }
 
         build_pre_acls(od, lflows, ports);
+        build_pre_lb(od, lflows);
         build_pre_stateful(od, lflows);
         build_acls(od, lflows);
         build_stateful(od, lflows);